
Hacked again? Please help, AD problems

Status
Not open for further replies.

Tagsley

IS-IT--Management
Jun 25, 2002
23
US
Last week we were hacked and I posted here:
thread96-440877. I installed a fresh version of Win2k Server and applied all the patches that Doomhamur said to do. Now I have the same problem.

I can log on as the administrator to the domain on the solo W2K server, but I cannot access the AD. No one can log in, and I am terrified of having to do the whole process over again. This could very well mean my job.

Is there a way to repair the AD? I tried using Sunbelt's program to allow me access to the DSA database from the prelogin prompt using MMC, so I know it was intact. However, any changes I made to it did not allow me to access it once I had logged in.

Is there any way to repair the AD database without having to do an entire reinstall? I still have not recovered all the data from our Exchange Server from the last time.

Please please help if you can. I am very desperate.

Thank you in advance.

Mark
 
Do you have a backup?

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"Since we cannot know all that there is to be known about anything,
we ought to know a little about everything."
Blaise Pascal
 
Sorry. No backup. We just got everything back online last Friday.

Of course, next time we will. What do I need to be sure to back up so I can restore the AD?

Thanks,

Mark
 
Hello again.

The first thing to check from your workstations is to ping the FQDN of your AD from them. If that doesn't work, then your DNS settings are the problem.

Make sure your AD server is the primary DNS server for all machines, including the server itself in tcp/ip properties.

Set your DNS server to use forwarders for your ISP's DNS.

If you can ping with the FQDN (myserver.mydomain.com) and you have reinstalled AD, then you need to rejoin your workstations to the domain:

-> Assign each workstation to a workgroup, reboot, then join the domain.

Remember that you have a new domain with new SIDs and accounts. Set your users to enter a new password when they log in.

Also, in the security analyzer it says to set "no enumeration of user accounts" to 2. If you did, set it to 1; 2 is too tight for a domain.

Good luck

Doomhamur
Network Engineer

"Certifications? We don't need no stinking certifications."
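The checks Doomhamur lists (resolve and ping the DC's FQDN, confirm every machine points at the AD DNS server, confirm the workstation is actually joined to the rebuilt domain, and back the "no enumeration" setting off from 2) can be run as one script from a workstation. This is an added example, not code from the thread or from any poster. It assumes a modern Windows client with PowerShell 5.1 or later and the DnsClient and NetTCPIP modules; these cmdlets do not exist on Windows 2000, where the same checks are done by hand with `ipconfig /all`, `ping` and `nslookup`. `mydomain.com` and `myserver.mydomain.com` are the placeholder names from the post, and the "no enumeration of user accounts" setting is assumed to be the LSA `RestrictAnonymous` registry value.

```powershell
# Added example, not from the thread. Client-side checks for the DNS / FQDN /
# domain-join advice above. Requires PowerShell 5.1+ on a modern Windows client
# (DnsClient, NetTCPIP modules); not available on Windows 2000.
param(
    [string]$DomainFqdn = 'mydomain.com',            # placeholder from the post
    [string]$DcFqdn     = 'myserver.mydomain.com'    # placeholder from the post
)

$problems = @()

# 1. Which DNS servers is this machine really using? Every domain member, the
#    DC itself included, should list the AD DNS server first.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { "{0,-30} DNS: {1}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ') }

# 2. Can the DC's FQDN be resolved and pinged? If not, fix DNS before touching
#    the domain join; nothing else will work until this does.
try {
    $a = Resolve-DnsName -Name $DcFqdn -Type A -ErrorAction Stop
    "Resolved $DcFqdn -> $($a.IPAddress -join ', ')"
} catch {
    $problems += "Cannot resolve $DcFqdn : $($_.Exception.Message)"
}
if (-not (Test-Connection -ComputerName $DcFqdn -Count 2 -Quiet)) {
    $problems += "No ICMP reply from $DcFqdn (DNS, routing or firewall problem)"
}

# 3. Does DNS carry the SRV record clients use to locate a DC? A rebuilt AD
#    whose zone never registered will resolve the A record but fail here.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction Stop
    "DC locator SRV -> $(($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')"
} catch {
    $problems += "No _ldap._tcp.dc._msdcs SRV record for $DomainFqdn"
}

# 4. Is this machine joined to the rebuilt domain? The old machine account and
#    SIDs are gone, so a stale join shows up as a mismatch or a workgroup.
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.PartOfDomain -and $cs.Domain -ieq $DomainFqdn) {
    "Joined to $($cs.Domain)"
} else {
    $problems += "Not joined to $DomainFqdn (currently '$($cs.Domain)'): move to a workgroup, reboot, rejoin"
}

# 5. 'No enumeration of user accounts' is assumed here to be the LSA
#    RestrictAnonymous value; 2 is too restrictive on a domain, as the post says.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous -ErrorAction SilentlyContinue
if ($lsa -and $lsa.RestrictAnonymous -eq 2) {
    $problems += 'RestrictAnonymous is 2; set it to 1 on domain machines'
}

if ($problems) { "`nPROBLEMS:"; $problems | ForEach-Object { " - $_" } } else { "`nAll checks passed" }
```

Run it on a workstation that is failing to log on; the order of the checks matters, because a failing step 2 explains every later failure and should be fixed first.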
 
Hello Mark,

Did you try uninstalling DNS and then setting up your Active Directory once again (not the entire Win2K install). Go to start, programs, administrative tools, configure your server. See if rebuilding just the AD would work out for you. Good luck!

Jose

 
Thanks! I actually got my AD back online. I used secedit to bring them back. Woohoo!

Now if I can get that Exchange Server to fire up I will be ecstatic.

I found a bunch of files that the hacker dropped into my C:\winnt\system32\drivers\etc directory. They include stuff like firedaemon, rundll32, hidden32 and ClearEL. Also, something called mybot and bnc.

Is there an easy way to check if something is currently broadcasting? I shut down the services that the FireDaemon was running, but am scared shtless there might be something else.

Thanks,

Mark
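The question above, whether anything is still listening or talking out, is answered by mapping every open socket to the process and binary that owns it, then looking at services and at the directory where the dropped files were found. The script below is an added example for that triage pass; it is not from the thread or any poster. It assumes a modern Windows host with PowerShell 5.1 or later and the NetTCPIP module, run from an elevated prompt; on Windows 2000 the equivalent is `netstat -ano` cross-referenced with Task Manager and the Services console. The list of files Windows itself ships in `drivers\etc` is a known fact; the thresholds (only `%SystemRoot%` and Program Files count as normal service locations) are this example's own choice.

```powershell
# Added example, not from the thread. Post-compromise triage: what is listening
# or connected out, which services run from odd places, and what is sitting in
# drivers\etc. Requires PowerShell 5.1+ (NetTCPIP); run elevated. Not for Win2k.

# 1. Listening sockets and established connections, each mapped to the owning
#    process and its binary path. Anything listening from an unexpected path
#    (a Windows system directory that should hold only text files, a temp
#    folder) deserves a look before anything else.
$rows = foreach ($c in Get-NetTCPConnection | Where-Object { $_.State -in 'Listen','Established' }) {
    $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        State  = $c.State
        Local  = "$($c.LocalAddress):$($c.LocalPort)"
        Remote = "$($c.RemoteAddress):$($c.RemotePort)"
        Pid    = $c.OwningProcess
        Name   = $p.ProcessName
        Path   = $p.Path
    }
}
"== Open sockets =="
$rows | Sort-Object State, Local | Format-Table -AutoSize

# Extract the executable from a service's PathName (quoted or first token)
# and expand %SystemRoot%-style variables so path comparisons work.
function Get-ServiceBinary([string]$PathName) {
    $exe = if ($PathName -match '^"([^"]+)"') { $Matches[1] } else { ($PathName -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# 2. Services whose executable lives outside %SystemRoot% or Program Files.
#    A service wrapper dropped by an intruder typically fails this test.
$okRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$odd = Get-CimInstance Win32_Service | Where-Object {
    $exe = Get-ServiceBinary $_.PathName
    $exe -and -not ($okRoots | Where-Object { $exe -like "$_\*" })
}
"== Services running from outside the usual roots =="
$odd | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# 3. drivers\etc should hold only the handful of text files Windows ships
#    there. Anything else, executables above all, is foreign; that is exactly
#    where the files in the post turned up. -Force includes hidden files.
$expected = 'hosts', 'lmhosts.sam', 'networks', 'protocol', 'services'
"== Unexpected files in drivers\etc =="
Get-ChildItem "$env:SystemRoot\System32\drivers\etc" -Force -File |
    Where-Object { $_.Name -notin $expected } |
    Select-Object Name, Length, LastWriteTime,
        @{ n = 'Hidden'; e = { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } } |
    Format-Table -AutoSize
```

Any row in the first table whose path is empty or points outside the Windows and Program Files trees, and any service or file in the last two tables, is a candidate for stopping and preserving rather than deleting, so the binary and its timestamps are still there when the "how did he get in?" question below is worked.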
 
Any idea how he came in? You had the latest patches? Any sign in the logs? Which services and servers were running?

I'm afraid of such a scenario...
 